PESCAN.IO - Analysis Report Basic |
|||||
| File Structure |
|
| Information |
Icon: Size: 1,04 MBSHA-256 Hash: D427EFCD6164451C4F1F663A9FCA0E7DB0ABFD0BE4AFA6D25753808CC87EF887 SHA-1 Hash: EBD8E8C5A99FB7FF8F1FDD80ACB5A84E783A809E MD5 Hash: B19F8D47C021798B331E33E8A7B9F660 Imphash: 270D1212AAA4FE8812E21A7441C53281 MajorOSVersion: 6 CheckSum: 0010E8AE EntryPoint (rva): 2903B0 SizeOfHeaders: 1000 SizeOfImage: 2AE000 ImageBase: 400000 Architecture: x86 ExportTable: 216060 ImportTable: 2AD608 Characteristics: 102 TimeDateStamp: 67415113 Date: 23/11/2024 3:50:43 File Type: EXE Number Of Sections: 3 ASLR: Enabled Section Names: UPX0, UPX1, .rsrc Number Of Executable Sections: 2 Subsystem: Windows GUI UAC Execution Level Manifest: requireAdministrator [Incomplete Binary or Compressor Packer - 1,64 MB Missing] |
| Sections Info |
| Section Name | Flags | ROffset | RSize | VOffset | VSize |
|---|---|---|---|---|---|
| UPX0 | E0000080 (Executable) (Writeable) | 400 | 0 | 1000 | 1A8000 |
| UPX1 | E0000040 (Executable) (Writeable) | 400 | E7800 | 1A9000 | E8000 |
| .rsrc | C0000040 (Writeable) | E7C00 | 1CA00 | 291000 | 1D000 |
| Description |
| InternalName: TrellixSmartInstall.exe OriginalFilename: TrellixSmartInstall.exe CompanyName: Musarubra US LLC. LegalCopyright: Copyright (C) 2024 Musarubra US LLC. All rights reserved ProductName: Trellix Agent FileVersion: 5.8.3.622 |
| Entry Point |
| The section number (2) - (UPX1) have the Entry Point Information -> EntryPoint (calculated) - E77B0 Code -> 60BE00905A008DBE0080E5FF57EB0B908A064688074701DB75078B1E83EEFC11DB72EDB80100000001DB75078B1E83EEFC11 • PUSHAD • MOV ESI, 0X5A9000 • LEA EDI, [ESI - 0X1A8000] • PUSH EDI • JMP 0X101A • NOP • MOV AL, BYTE PTR [ESI] • INC ESI • MOV BYTE PTR [EDI], AL • INC EDI • ADD EBX, EBX • JNE 0X1021 • MOV EBX, DWORD PTR [ESI] • SUB ESI, -4 • ADC EBX, EBX • JB 0X1010 • MOV EAX, 1 • ADD EBX, EBX • JNE 0X1033 • MOV EBX, DWORD PTR [ESI] • SUB ESI, -4 |
| Signatures |
| CheckSum Integrity Problem: • Header: 1108142 • Calculated: 1146556 Rich Signature Analyzer: Code -> 262BA2B2624ACCE1624ACCE1624ACCE12932CFE06C4ACCE12932C9E0B94ACCE1042531E16C4ACCE1303FC8E0704ACCE1303FCFE07B4ACCE16B3248E1634ACCE1303FC9E0494ACCE12932C8E0744ACCE12932CDE07B4ACCE1624ACDE11F4BCCE1DB3FC9E0664ACCE1DB3FC8E0C448CCE1DB3FC5E05F4ACCE1DB3FCCE0634ACCE1DB3F33E1634ACCE1624A5BE1634ACCE1DB3FCEE0634ACCE152696368624ACCE1 Footprint md5 Hash -> 49D72C2B5AD6FDDDF5DDE12C4B583647 • The Rich header apparently has not been modified Certificate - Digital Signature: • The file is signed and the signature is correct |
| Packer/Compiler |
| Compression: UPX - Version: 3.08 Detect It Easy (die) • PE: packer: UPX(3.08)[NRV,brute] • PE: linker: Microsoft Linker(14.29**)[EXE32,admin,signed] • PE: Sign tool: Windows Authenticode(2.0)[PKCS 7] • Entropy: 7.70398 |
| Suspicious Functions |
| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | VirtualAlloc | Reserve, commit, or both, a region of memory within the virtual address space of a process. |
| KERNEL32.DLL | LoadLibraryA | Loads the specified module into the address space of the calling process. |
| KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL). |
| File Access |
| WS2_32.dll WLDAP32.dll WINTRUST.dll USER32.dll SHELL32.dll RPCRT4.dll PSAPI.DLL CRYPT32.dll COMCTL32.dll ADVAPI32.dll KERNEL32.DLL |
| File Access (UNICODE) |
| TrellixSmartInstall.exe |
| Interest's Words |
| exec ping |
| URLs |
| http://ocsp.globalsign.com/rootr103 http://crl.globalsign.com/root.crl http://ocsp.globalsign.com/rootr30; http://secure.globalsign.com/cacert/root-r3.crt http://crl.globalsign.com/root-r3.crl http://ocsp.globalsign.com/codesigningrootr450F http://secure.globalsign.com/cacert/codesigningrootr45.crt http://crl.globalsign.com/codesigningrootr45.crl http://secure.globalsign.com/cacert/gsgccr45codesignca2020.crt http://ocsp.globalsign.com/gsgccr45codesignca20200V http://crl.globalsign.com/gsgccr45codesignca2020.crl http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl http://ocsp.digicert.com http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt http://cacerts.digicert.com/DigiCertTrustedRootG4.crt http://crl3.digicert.com/DigiCertTrustedRootG4.crl http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl https://www.globalsign.com/repository/ https://www.trellix.com/ https://ah-usw003.manage.trellix.com:443/config?token=92b8b7039ae3a199c9dc1608532e56bcbdb7764b</bsurl https://?token=92b8b7039ae3a199c9dc1608532e56bcbdb7764b</serverip https://ah-usw003.manage.trellix.com:443/config?token=92b8b7039ae3a199c9dc1608532e56bcbdb7764b</serverNetbios |
| Strings/Hex Code Found With The File Rules |
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | Stealth (VirtualAlloc) |
| Text | Ascii | Stealth (VirtualProtect) |
| Text | Ascii | Stealer malware focused on obtaining CVV codes to conduct unauthorized transactions (CVV) |
| Entry Point | Hex Pattern | Microsoft Visual C++ 8 |
| Entry Point | Hex Pattern | Microsoft Visual C++ 8.0 |
| Entry Point | Hex Pattern | UPX -> www.upx.sourceforge.net |
| Entry Point | Hex Pattern | UPX v0.89.6 - v1.02 / v1.05 - v1.22 |
| Entry Point | Hex Pattern | UPX V2.00-V2.90 -> Markus Oberhumer & Laszlo Molnar & John Reiser |
| Resources |
| Path | DataRVA | Size | FileOffset | Code | Text |
|---|---|---|---|---|---|
| \BITMAP\103\1033 | 247360 | 280E4 | 9E760 | 1CD50EBB8D709FC0BF28047431FF4904DBD2FE48C9E2E65959C9C23B013CA3DF250CE206530448A0214213773D8379089160 | .....p...(.t1.I....H...YY..;.<..%...S.H.!B.w=.y.. |
| \ICON\1\1033 | 291314 | 468 | E7F14 | 280000001000000020000000010020000000000000040000130B0000130B0000000000000000000000000000000000000000 | (....... ..... ................................... |
| \ICON\2\1033 | 291780 | 10A8 | E8380 | 280000002000000040000000010020000000000000100000130B0000130B0000000000000000000000000000000000000000 | (... ...@..... ................................... |
| \ICON\3\1033 | 29282C | 25A8 | E942C | 280000003000000060000000010020000000000000240000130B0000130B0000000000000000000000000000000000000000 | (...0........ ......$............................ |
| \ICON\4\1033 | 294DD8 | 4228 | EB9D8 | 280000004000000080000000010020000000000000400000130B0000130B0000000000000000000000000000000000000000 | (...@......... ......@............................ |
| \ICON\5\1033 | 299004 | 10828 | EFC04 | 280000008000000000010000010020000000000000000100130B0000130B0000000000000000000000000000000000000000 | (............. ................................... |
| \ICON\6\1033 | 2A9830 | 3784 | 100430 | 89504E470D0A1A0A0000000D49484452000001000000010008060000005C72A8660000374B4944415478DAED9D79B4674575 | .PNG........IHDR.............\r.f..7KIDATx...y.gEu |
| \DIALOG\101\1033 | 22B310 | 13A | 82710 | 7B0F6CFB9255F082B25085158B4B4CEC6470382B4DB1114DFCB0F9FD19944AC17D0B515BF3BC8F9740DD9A349635E004E8D1 | {.l..U...P...KL.dp8+M..M......J.}.Q[....@..4.5.... |
| \DIALOG\105\1033 | 22B450 | 160 | 82850 | 5F5030ED78AC003FE64F8AD2A2E634E2B8177574D175B6282CCA885256714B1F8FA94B1380D95C386C095E14BD9887057007 | _P0.x..?.O....4...ut.u.(,..RVqK...K...\8l......p. |
| \DIALOG\106\1033 | 22B5B0 | BC | 829B0 | 8B0EBB424F4081E1067202CAE21112A48EA9008C08F2FA732074C118D658934526986B6B68C45873DF7A80060356DE2F7805 | ...BO@...r.............s t...X.E&.kkh.Xs.z...V./x. |
| \GROUP_ICON\102\1033 | 2ACFB8 | 5A | 103BB8 | 00000100060010100000010020006804000001002020000001002000A810000002003030000001002000A825000003004040 | ............ .h..... .... .......00.... ..%....@@ |
| \VERSION\1\1033 | 2AD018 | 360 | 103C18 | 600334000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000800 | .4...V.S._.V.E.R.S.I.O.N._.I.N.F.O............... |
| \24\1\1033 | 2AD37C | 289 | 103F7C | 3C3F786D6C2076657273696F6E3D27312E302720656E636F64696E673D275554462D3827207374616E64616C6F6E653D2779 | <?xml version='1.0' encoding='UTF-8' standalone='y |
| Intelligent String |
| • TrellixSmartInstall.exe • 5.8.3.622 • ~wfk. • :060U00Uq]dL.g?O0U0E1-Q!m0U0y+m0k0$+0http://ocsp.digicert.com0C+07http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0EU>0<0:864http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0U • <bsurl>https://ah-usw003.manage.trellix.com:443/config?token=92b8b7039ae3a199c9dc1608532e56bcbdb7764b</bsurl> • <serverip>https://?token=92b8b7039ae3a199c9dc1608532e56bcbdb7764b</serverip> • <serverNetbios>https://ah-usw003.manage.trellix.com:443/config?token=92b8b7039ae3a199c9dc1608532e56bcbdb7764b</serverNetbios> |
| Extra Analysis |
| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 709992 | 64,9743% |
| Null Byte Code | 80248 | 7,3438% |
© 2025 All rights reserved.